Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

Slow News day?

[OverlordQ]

Somebody intercepted plaintext on an open network . . . . did I miss something?

Re:Slow News day?

[Cancel-Or-Allow]

The funny thing is, gmail offers the ability to sign-in securely, but not an option to keep it SSL throughout the entire session. It works when you manually change the http to https in the url after signed in, but there is still brief moment of unsecured traffic during this process.

Re:Slow News day?

if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in.

You have no idea how SSL works.

Re:Slow News day?

[The+Velour+Fog]

Also, logging in via SSL doesn't always work either - if the traffic is sniffed as the browser is sending the SSL requests, one could sniff the SSL key and just use that to get in. SSL uses Diffie-Hellman key exchange so no unencrypted key is ever sent

Re:Slow News day?

[zippthorne]

That's odd. I go to https://mail.google.com/ and at no time during the login process do I ever see the address bar go from yellow to white. Are you sure it still works the way you say? Or is it sending something unencrypted so fast that I'm just not noticing (which would be kind of worrying).

Re:Slow News day?

[Kartoffel]

That's easy enough to fix with a Firefox plugin: http://www.customizegoogle.com/

Re:Slow News day?

[tom17]

Seemingly neither do the people in the comments section at the bottom of TFA :-(

Worrying.

Re:Slow News day?

[kdemetter]

it is possible however . it basically works be faking the certificate .
Cain does it that way . The user does get a notification that the certificate is untrusted , but most people will just allow it anyway ( otherwise they can't use the webpage ) .

Re:Slow News day?

[Aeiri]

This is the first time it's been compiled into an automated tool. No it's not, there's another that's better and it's been around for a long while. It was once Ethereal, and now called Wireshark.

Re:Slow News day?

[tizan]

I believe if you use https://gmail.google.com/ (note gmail instead of mail) your whole mail session is always encripted and not the login page only.

Re:Slow News day?

[gpuk]

That is the correct behaviour.

Essentially, if you enter via http://mail.google.com/ Google remembers this and encrypts only the login process and then reverts back to plain text. If you enter via https://mail.google.com/ your session remains encrypted throughout.

Re:Slow News day?

[Burz]

This takes way more work, and there will be a popup that says "This certificate has not been signed by a trusted authority, someone might be trying to sniff you out". No one with a tiny bit of computer security knowledge would fall for this, but a clueless user who clicks "Allow" on everything probably would be.

And I try to educate everyone I know about handling certificate warnings. They are all worried about Internet insecurity, and I tell them their connection (assuming they have a clean systems) WILL be very secure if the browser displays the lock symbol and they have not chosen to bypass a certificate warning.

This, along with making people more aware of address domains in pages and emails, is what everyone frequenting these techie/nerd sites should be explaining to everyone around them. Tell them that whatever confidence they got from "doing things" on the Internet by clicking on pretty pictures is probably false and they may need to learn crucial (if simple) rules before they get in trouble.

The Internet now is like the common roadway in the 1920s: No one has taken drivers' ed, and even basic computer literacy courses don't teach about SSL!

Trojans are another huge problem, and should scarcely exist. However our modern GUI interfaces have been designed to pictographically confuse data with code, as documents and the programs that use them usually have the same/similar icons. BeOS was an exception where all code was shown with a '!' prefix. I think Ubuntu has been trying out a similar scheme. No script or binary should EVER be allowed to look like a jpeg or other data file.

Re:Slow News day?

[SanityInAnarchy]

Because this means more computing for google servers.

This is Google we're talking about. They can take it.

I mean, seriously, even an old 200 mhz Linux box set up as a server can do crypto at wire speed (100 mbit ethernet). I'm sure it takes them more cycles to spellcheck it for you.

And also because your mail is sent as plain text to the recipient's mail server (and it came as plain text on google server). So it would be useless to crypt only the first (or last) part of the way.

"Not entirely secure" is not the same thing as "useless".

Consider: The majority of most websites are mostly served as plain HTML over HTTP. Is it still "useless" for me to admin mine using SSH instead of unsecured FTP? I think not.

The point I am making here is, if your communications with Gmail are unencrypted, it makes it possible for someone to not only intercept the content of the message, but alter it -- they could, in fact, hijack your whole session, gain access to your archived mail, and send mail pretending to be you. All of this is theoretically possible with that SMTP connection between Gmail and another mailserver, but it's also insanely difficult to get anywhere close to what you can get by hijacking the session.

And there's even a point to encrypting it, as opposed to just signing it. Well, two points, actually:

1. Browsers include SSL natively, but there's no spec for just signing something and sending it plaintext. Therefore, it would have to be done in JavaScript, which is MUCH slower.
2. SMTP is only used for connections between Gmail and other servers. Mail sent between you and another Gmail address is entirely secure, once it gets to the server. Why let people hijack your session and make it insecure?

I mean, I tend to agree with you somewhat -- I only really do email from the one machine that has my GPG key, and I wouldn't use Gmail for more than backup. I don't see much point to webmail, because I never login to anything from a computer that isn't my own, because I don't like exposing myself to keyloggers.

But even if it can't be very secure, why make it even less secure than it can be?

Could be fixed easily by Google. Shame.

[OpenGLFan]

This is shameful. It's 2007, Google. SSL has been a (reasonable) standard since 1996. USE IT.

Good reason to install Better GMail!

[Mr.+X]

The Firefox extension forces GMail to always run over SSL. It's great!

Re:Good reason to install Better GMail!

[afidel]

I think you should have linked to the Mozilla addons page. I know I wouldn't install a firefox addon from a random site with the name hacker in the URL.

Re:I give 10 minutes

[Constantine+XVI]

Apple has nothing at all to do with it.

Correct me if I'm wrong but

[trifish]

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid. The only situation where this solution may get a bit annoying is if you're behind a load-balancing proxy, which changes your IP address on every request (fortunately, this is somewhat rare.) It's better than allow easy hijacks...

Re:Correct me if I'm wrong but

[Stile+65]

If the hijacker gets on your wireless AP, then he's NATed behind the same public IP address as you. Voila, he matches your IP. Another layer is to also fix the session cookie to the browser's UA string, but that won't work if the attacker knows you're doing it and changes his browser's UA string to match yours. In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

Re:Correct me if I'm wrong but

[vidarlo]

Even if you don't have encrypted transfer, session cookies can be easily secured by associating them with a certain IP address. The attacker who captures the cookies has a differnt IP address so the cookie is rejected as invalid.

More often than not, all users of a wireless net is behind a NAT device, which makes all the devices have the same official IP. The same applies to most domestic, workplace and school wlans, so really, that would make little or no difference. Now, in a IPv6 world, it would make a difference, since everyone has a unique IP there...

Re:Correct me if I'm wrong but

[TheRaven64]

Even if he's not NAT'd, if he's on the same WLAN then he's on the same broadcast segment as the real owner of the IP, so he can just send packets claiming to be from the legitimate user and run his interface in promiscuous mode to grab the replies.

Re:Could be fixed easily by Google. Shame.

[SatanicPuppy]

They offer it. All you have to do is go to https://mail.google.com/ rather than http://mail.google.com./

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

Bottom line

[Kadin2048]

I think the upshot of this isn't really "look at us, we can sniff plaintext Wifi connections," but "look at one of the biggest players in web mail use plaintext connections even though they ought to know it's a hideously bad idea."

It's more of an indictment of Google than anything, because they default to unencrypted HTTP rather than HTTPS, and most users won't know that they can go to https://mail.google.com/mail/ to force smarter behavior.

Re:Bottom line

[It'sYerMam]

And furthermore, if you use google via a customised google page (http://www.google.com/ig) then even if you redirect that to https://.../ then the link to GMail is still regular http.

Re:Could be fixed easily by Google. Shame.

[Bob+535604]

I fail to see how the average person, as usual, being lax about their security is in any way Google's fault. This was something I found immediately, just because I won't check my email without a secure connection.

A lot of people wouldn't know about this or even look for it and you know it. Google could make https the default or even mandatory, and it would completely kill this entire issue.

Re:Could be fixed easily by Google. Shame.

[TheRaven64]

A huge part of security is having sane defaults. If you support 'secure' and 'insecure' you should default to 'secure,' and let users who know what they are doing, and need 'insecure' behaviour opt into it. You shouldn't default to 'insecure' and make it the users' responsibility to select 'secure.'

Always use https://gmail.google.com

[StandardCell]

Although they don't have a public key scheme strong enough for the AES-256 (requires 15360-bit RSA or 256-bit ECC for public key), you should always be logging in using https://gmail.google.com/ from all locations (even home) to ensure the entire session is encrypted.

Security is an application-layer problem.

[Kadin2048]

In summary, secure your wireless AP if you're a user and buy some SSL acceleration hardware so you can support forcing all traffic on your website to use SSL if you're a service provider.

I agree with the latter recommendation about using SSL, but saying 'secure your wireless AP' doesn't do a lot to help the many public wifi locations; I think it's unhealthy to ever assume that a wireless connection will be secure. As more wireless networks are rolled out, and more people get laptops with built-in wireless and traipse happily from home to their local coffeeshop, where they're sharing an IP and an unencrypted connection with many untrusted users, opportunities for sniffing and hijacking are only going to become more common.

As users demand more portability, security and authentication need to be moved (and kept) up at the application layer, and not simply assumed as part of the datalink or physical layers.

Re:Could be fixed easily by Google. Shame.

[teknopurge]

We have redirects setup on all plain-text channels that have a login to SSL, and have for the past 6 years; this is beyond common-sense.

Yes, it is.

[Kadin2048]

You're right that the exploit itself really isn't that new. What's new is twofold:

1) It's being done to Gmail, a service provided by People Who Should Know Better.
2) There is now a tool that allows any script kiddie to do it, meaning that it's no longer a theoretical exploit; it's something that your next-door neighbor is going to be doing to you (or your slightly less-technically-savvy family/friends) if you don't take precautions.

#2 is probably most significant, since it's really what's going to cause #1 to change. Sometimes, producing a GUIed, Windows-based exploit tool is the fastest way to get a problem fixed, because it's the easiest way to turn an academic argument into a real-world security issue that will get resources thrown at it. (Of course, it may also land you in jail.)

Re:Could be fixed easily by Google. Shame.

[fbjon]

They shouldn't tell anyone, just transparently redirect to the secure URL. Sane defaults, and all that jazz. Or at least semi-transparently, with a "redirecting..." page that has a link to both encrypted and unencrypted login URLs, in case some network blocks https.

Re:Could be fixed easily by Google. Shame.

[BewireNomali]

correct me if I'm wrong, but don't most who complain about microsoft OSes point to prior defaults to administrator privileges as a major security concern? If so, by that same reasoning, shouldn't web services default to more secure configurations as opposed to less?

Re:psh

[Applekid]

Maybe not, but the heavenly smell is basically a SSID broadcast of their existance to those interested in finding them.

Re:Could be fixed easily by Google. Shame.

[huge]

Shame on them also?

Yes.

Even if there are others with the same problem doesn't give you excuse to ignore the problem.

Re:ssl and gmai.

[pomerol]

Well, I suspect that the reason they don't serve GMail access over SSL by default is greed and/or the desire to be "green". Serving web content over SSL put significantly higher strain on servers. In Google's case this equates to more CPU cycles and that translates to higher power requirements. More power means higher costs for Google and more carbon emissions into Earth's atmosphere. I would like to believe that "do-no-evil" Google is doing this for the latter reason.

Easy fix

[teslatug]

Bookmark the secure address and use that (who wouldn't over open wireless??). You could also use http://www.customizegoogle.com/ with Firefox if you're using Gmail to force it to go to the secure URL.

Re:thank god...

[Howitzer86]

I have never heard of anyone thanking God that they use Yahoo... in my entire life.

It's not Google's fault...

[overeduc8ed]

It's not Google's fault -- gmail is still in beta! :)

Not the network's job.

[Kadin2048]

That's dumb. An application should never assume that the network it's connected to is secure. It doesn't matter whether you're plugged into switched Ethernet, a wireless LAN, or IP over carrier pigeon -- if you're designing an application that's going to transmit sensitive/assumed-private data (which email clearly is), it's a mistake to just blithely assume that the network is in any way secure.*

An application like Gmail should be treating all network connections as though they're unencrypted Wifi (or hubbed/shared-media Ethernet -- let's not call out 802.11 when there are so many other networking options that can also be trivially compromised); anything else is bad design.

* I'm aware that SMTP is designed like that (as are many other core Internet protocols), but that doesn't mean it's a good idea or even close to technically correct; it was designed in kinder, gentler, and clearly more naive time, and it's caused a whole lot of pain as a result. To do the same thing today is pretty ridiculous.

Make it default to https

[ajs318]

#  This is how I did it:
#
#  Actual snippet from my Apache configuration .....  mostly.
#  Some details have been changed to protect the innocent
#  And some details have been changed to protect the guilty
#
#  The virtual host "secure.mydomain.co.uk" cannot be accessed
#  by http; only by https.
#
#  The insecure port
<VirtualHost 10.11.12.13:80>
    ServerName secure.mydomain.co.uk
    DocumentRoot /var/www/
    <Directory /var/www/>
        RedirectMatch ^/[^iI] /insecure/
        # In this directory is a page with a dire warning
        # that https is required to access this server.
        # NB.  To avoid creating an infinite loop, we never
        # redirect if request begins with I or i.
    </Directory>
</VirtualHost>
#  The secure port
<VirtualHost 10.11.12.13:443>
    SSLEngine on
    .....
</VirtualHost>

Another Extension

[lupine]

I use the Gmail Notifier firefox extension which checks for messages and forces gmail to use secure connections.

Re:Could be fixed easily by Google. Shame.

[AeroIllini]

The user must take responsibility for their own security. Yet we turn around and lambaste Microsoft for allowing users to run as Administrator by default, having no-password logins, not locking down the registry, and allowing 3rd party developers to still require admin privileges just to run a userspace application.

The point is, security is more than just "what's available." It also has to be about how good the defaults are. The technical community cried foul when Microsoft included a firewall in Windows XP but didn't have it turned on by default, and we complained so much that in SP2 Microsoft finally changed the default.

I agree that security is ultimately the responsibility of the user, but they should not have to seek out secure settings and turn them all on one by one. The default mode for any network-enabled program should be Secure. If the user needs Insecure, then they should have to change a setting to make it so. Spam should be opt-in, security should be opt-out. Anything else is unfair to the user.